1 Please stand; now, please be seated.

Neighbors, please join me in reading this tenth release of the International Journal of Proof of Concept or Get the Fuck Out, a friendly little collection of articles for ladies and gentlemen of distinguished ability and taste in the field of software exploitation and the worship of weird machines. This is our tenth release, given on paper to the fine neighbors of Novi Sad, Serbia and Stockholm, Sweden.

If you are missing the first nine issues, we the editors suggest pirating them from the usual locations, or on paper from a neighbor who picked up a copy of the first in Vegas, the second in Sao Paulo, the third in Hamburg, the fourth in Heidelberg, the fifth in Montreal, the sixth in Las Vegas, the seventh from his parents’ inkjet printer during the Thanksgiving holiday, the eighth in Heidelberg, or the ninth in Montreal.

Page 4 contains our very own Pastor Manul Laphroaig’s sermon on Newton and Turing, in which we learn about the academics’ affection for Turing-completeness and why they should be allowed to marry it.

On page 7, Colby Moore provides all the details you’ll need to sniff simplex packets from the Globalstar satellite constellation.

Page 12 introduces some tips by Peter Hlavaty of the Keen Team on kernel pool spraying in Windows and Linux.

Page 19 presents the results of the second Underhanded Crypto Contest, held at the Crypto Village of Defcon 23.

On page 21, Sophia D’Antoine introduces some tricks for communicating between virtual machines co-located on the same physical host. In particular, the mfence instruction can be used to force strict ordering, interfering with CPU instruction pipelining in another VM.

Eric Davisson, on page 26, presents a nifty little trick for causing quarantined malware to be re-detected by McAfee Enterprise VirusScan! This particular tumor is benign, but we bet a neighborly reader can write a malignant variant.

Ron Fabela of Binary Brew Works, on page 28, presents his recipe for TCP/IPA, a neighborly beer with which to warm our hearts and our spirits during the coming apocalypse.

Our centerfold in this issue is the schematic diagram to an Electronika BK 0010-01 computer from the USSR. You wouldn’t believe how difficult it is to google the proper way to render a centerfold in LaTeX!

Vogelfrei shares with us some tricks for APRS and AX.25 networking on page 34. APRS exists around much of the western world, and all sorts of mischief can be had through it. (But please don’t be a jerk.)

Much as some readers think of us as a security magazine, we are first and foremost a systems-internals journal with a bias toward the strange and the classic designs. Page 40 contains a reprint, in the original Serbian, of Voja Antonić’s article on the Galaksija, his Z80 home computer design, the very first in Yugoslavia.

fbz is a damned fine neighbor of ours, both a mathematician and a musician. On page 60 you’ll find her latest single, Root Rights are a Grrl’s Best Friend! If you’d rather listen to it than just read the lyrics, run vlc pocorgtfo09.pdf and jump to page 61, where Philippe Teuwen describes how he made this fine document a polyglot of PDF, ZIP, and WavPack.

On page 62, you will find Oona’s Puzzle Corner, with all sorts of nifty games for a child of five. If you aren’t clever enough to solve them, then ask for help from a child of five!

On page 64, the last and most important page, we pass around the collection plate. Pastor Laphroaig doesn’t need a touring jumbo jet like those television and radio preachers; rather, this humble worshiper of the weird machines needs a Turing jumbo jet with which to storm Heaven!
“Academics should just marry Turing Completeness already!”

—the grugq

2 From Newton to Turing, a Happy Family

by Pastor Manul Laphroaig D.D.



When engineers first gifted humanity with horseless carriages that moved on rails under their own power, this invention, for all its usefulness, turned out to have a big problem: occasional humans and animals on the rails. This problem motivated many inventors to look for solutions that would be both usable and effective.

Unfortunately, none worked. The reason for this is not so easy to explain—at least Aristotelian physics had no explanation, and few scientists till Galileo’s time were interested in one. On the one hand, motion had to be brought on by some force and tended to kinda barrel about once it got going; on the other hand, it also tended to dissipate eventually. It took about 500 years from doubting the Aristotelian idea that motion ceased as soon as its impelling force ceased to the first clear pronouncement that motion in absence of external forces was a persistent rather than a temporary virtue; and another 600 for the first correct formulation of exactly what quantities of motion were conserved. Even so, it took another century before the mechanical conservation laws and the actual names and formulas for momentum and energy were written down as we know them.

These days, “conservation of energy” is supposed to be one of those word combinations to check off on multiple-choice tests that make one eligible for college.¹ Yet we should remember that the steam engine was invented well before these laws of classical mechanics were made comprehensible or even understood at all. Moreover, it took some further 40-90 years after Watt’s ten-horsepower steam engine patent to formulate the principles of thermodynamics that actually make a steam engine work—by which time it was chugging along at 10,000 horsepower, able to move not just massive amounts of machinery but even the engine’s own weight along the rails, plus a lot more.²

All of this is to say that if you hear scientists doubting how an engineer can accomplish things without their collective guidance, they have a lot of history to catch up with, starting with that thing called the Industrial Revolution. On the other hand, if you see engineers trying to build a thing that just doesn’t seem to work, you just might be able to point them to some formulas that suggest their energies are best applied elsewhere. Distinguishing between these two situations is known as magic, wisdom, extreme luck, or divine revelation; whoever claims to be able to do so unerringly is at best a priest,³ not a scientist.



¹ Whether one actually understands them or not—and, if you value your sanity, do not try to find if your physics teachers actually understand them either. You have been warned.

² Not that stationary steam engines were weaklings either: driving ironworks and mining pumps takes a lot of horses.

³ Typically, of a religion that involves central planning and state-run science. This time they’ll get it right, never fear!
There is an old joke that whatever activity needs to add “science” to its name is not too sure it is one. Some computer scientists may not take too kindly to this joke, and point out that it’s actually the word “computer” that’s misleading, as their science transcends particular silicon-and-copper designs. It is undeniable, though, that hacking as we know it would not exist without actual physical computers.

As scientists, we like exhaustive arguments: either by full search of all finite combinatorial possibilities or by tricks such as induction that look convincing enough as a means of exhausting infinite combinations. We value above all being able to say that a condition never takes place, or always holds. We dislike the possibility that there can be a situation or a solution we can overlook but someone may find through luck or cleverness; we want a yes to be a yes and a no to mean no way in Hell. But either full search or induction only apply in the world of ideal models—call them combinatorial, logical, or mathematical—that exclude any kinds of unknown unknowns.

Hence we have many models of computation: substituting strings into other strings (Markov algorithms), rewriting formulas (lambda calculus), automata with finite and infinite numbers of states, and so on. The point is always to enumerate all finite possibilities or to convince ourselves that even an infinite number of them does not harbor the ones we wish to avoid. The idea is roughly the same as using algebra: we use formulas we trust to reason about any and all possible values at once, but to do so we must reduce reality to a set of formulas. These formulas come from a process that must prod and probe reality; we have no way of coming up with them without prodding, probing, and otherwise experimenting by hunch and blind groping—that is, by building things before we fully understand how they work. Without these, there can be no formulas, or they won’t be meaningful.

So here we go. Exploits establish the variable space; “science” searches it, to our satisfaction or otherwise, or—importantly to save us effort—asserts that a full and exhaustive search is infeasible. This may be the case of energy conservation vs. trying to construct a safer fender—or, perhaps, the case of us still trying to formulate what makes sense to attempt.

That which we call the “arms race” is a part of this process. With it, we continually update the variable spaces that we wish to exhaust; without it, none of our methods and formulas mean much. This brings us to the recent argument about exploits and Turing completeness.




Knowledge is power.⁴ In case of the steam engine, the power emerged before the kind of knowledge called “scientific” (if one is in college) or “basic” (if one is a politician looking to hitch a ride—because actual science has a tradition of overturning its own “basics” as taught in schools for at least decades if not centuries). In any case, the knowledge of how to build these engines was there before the knowledge that actually explained how they worked, and would hardly have emerged if these things had not been built already.




⁴ The question of whether that which is not power is still knowledge is best left to philosophers. One can blame Nasir al-Din al-Tusi for explaining the value of Astrology to Khan Hulagu by dumping a cauldron down the side of a mountain to wake up the Khan’s troops and then explaining that those who knew the causes above remained calm while those who didn’t whirled in confusion below—but one can hardly deny that being able to convince a Khan was, in fact, power. Not to mention his horde. Because a Khan, by definition, has a very convincing comeback for “Yeah? You and what horde?”
Our very own situation, neighbors, is not unlike that of the steam power before the laws of thermodynamics. There are things that work (pump mines, drive factories), and there are official ways of explaining them that don’t quite work. Eventually, they will merge, and the explanations will catch up, and will then become useful for making things that work better—but they haven’t quite yet, and it is frustrating.




exploit programming, they not just focused on the least practically relevant aspect of it (Turing completeness)—but did so to the exclusion of all other kinds of niftyness such as information leaks, probabilistic programming (heap feng-shui and spraying), parallelism (cloning and pinning of threads to sap randomization), and so on. That focus on the irrelevant to the detriment of the relevant had really rankled. It was hard to miss where the next frontier of exploitation’s hard programming tasks and its next set of challenges lay, but oh boy, did academia do it again.

Yet it is also clear why they did it. Academic CS operates by models and exhaustive searches or reasoning. Its primary method and deliverable is exhaustive analysis of models, i.e., the promise that certain bad things never happen, that all possible trajectories of a system have been or can be enumerated.

Academia first saw exploit programming when it was presented to it in the form of a model; prior to that, their eyes would just slide off it, because it looked “ad-hoc”, and one can neither reason about “ad-hoc” nor enumerate it (at least, if one wants to meet publication goals). When it turned out it had a model, academia did with it what it normally does with models: automating, tweaking, searching, finding their theoretical limits, and relating them to other models, one paper at a time.⁵

This is not a bad method; at least, it gave us complex compilers and CPUs that don’t crumble under the weight of their bugs.⁶ Eventually we will want the kind of assurances this method creates—when their models of unexpected execution are complete enough and close enough to reality. For now, they are not, and we have to go on building our engines without guidance from models, but rather to make sure new models will come from them.

Not that we are without hope. One only has to look to Grsecurity/PaX at any given time to see what will eventually become the precise stuff of Newton’s laws for the better OS kernels; similarly, the inescapable failure modes of data and programming complexity will eventually be understood as clearly as the three principles of thermodynamics. Until then our best bet is to build engines—however unscientific—and to construct theories—however removed from real power—and to hope that the engineering and the science will take enough notice of each other to converge within a lifetime, as they have had the sense to do during the so-called Industrial Revolution, and a few lucky times since.

And to this, neighbors, the Pastor raises not one but two drinks—one for the engineering orienting the science, and one for the science catching up with the knowledge that is power, and saving it the effort of what cannot be done—and may they ever converge! Amen.



⁵ And some of these papers were true Phrack-like gems that, true to the old-timey tradition, explained and exposed surprising depths of common mechanisms: see, for example, SROP and COOP.

⁶ While, for example, products of the modern web development “revolution” already do, despite being much less complex than a CPU.
3 Breaking Globalstar Satellite Communications

by Colby Moore

It might be an understatement to say that hackers have a fascination with satellites. Fortunately, with advancements in Software Defined Radio such as the Ettus Research USRP and Michael Ossmann’s HackRF, satellite hacking is now not only feasible, but affordable. Here we’ll discuss the reverse engineering of Globalstar’s Simplex Data Service, allowing for interception of communications and injection of data back into the network.

Rumor has it that after deployment, Globalstar’s first generation of satellites began to fail, possibly due to poor radiation hardening. This affected the return path data link, where Globalstar would transmit to a user. To salvage the damaged satellite network, Globalstar introduced a line of simplex products that enable short, one-way communication from the user to Globalstar.

The nature of the service makes it ideal for asset tracking and remote sensor monitoring. While extremely popular with oil and gas, military, and shipping industries, this technology is also widely used by consumers. A company called SPOT produces consumer-grade asset trackers and personal locator beacons that utilize this same technology.

Globalstar touts their simplex service as “extremely difficult” to intercept, noting that the signal’s “Low-Probability-of-Intercept (LPI) and Low-Probability-of-Detection (LPD) provide over-the-air security.”⁷ In this article I’ll outline the basics for reverse engineering the Globalstar Simplex Data Services modulation scheme and protocol, and will provide the technical information necessary to interface with the network.

3.1 Network Architecture

The network is comprised of many Low Earth Orbit, bent-pipe satellites. Data is transmitted from the user to the satellite on an uplink frequency and repeated back to Earth on a downlink frequency. Globalstar ground stations all over the world listen for this downlink data, interpret it, and expose it to the user via an Internet-facing back-end. Each ground station provides a several thousand mile window of data coverage.

Bent-pipe satellites are “dumb” in that they do not modify the transmitted data. This means that the data on the uplink is the same on the downlink. Thus, with the right knowledge, a skilled adversary can intercept data on either link.

3.2 Tools and Code

This research was conducted using GNURadio and Python for data processing and an Ettus Research B200 for RF work. Custom proof-of-concept toolsets were written for DSSS and packet decoding. Devices tested include a SPOT Generation 3, a SPOT Trace, and a SmartOne A.

3.3 Frequencies and Antennas

Four frequencies are allocated for the simplex data uplink. Current testing has only shown operation on channel A.



Channel   Frequency
A         1611.25 MHz
B         1613.75 MHz
C         1616.25 MHz
D         1618.78 MHz



⁷ http://productsupport.globalstar.com/2009/02/09/are-simplex-messages-secure/
Globalstar uses left-hand circular-polarized antennas for transmission of simplex data from the user to the satellite. The Globalstar GSP-1620 antenna, designed for transmitting from the user to a satellite, has proven adequate for experimentation.

Downlink is a bit more complicated, and far more faint. Channels vary by satellite, but are within the 6875-7055 MHz range. Both RHCP and LHCP are used for downlink.

3.4 Direct Sequence Spread Spectrum

Devices using the simplex data service implement direct sequence spread spectrum (DSSS) modulation to reliably transmit data using low power. DSSS is a modulation scheme that works by mixing a slow data signal with a very fast Pseudo Noise (PN) sequence. Since the pseudo-random sequence is known, the resulting signal retains all of the original data information but spread over a much wider spectrum. Among other benefits, this process makes the signal more tolerant to interference.

In Globalstar’s implementation of DSSS, packet data is first modulated as non-differential BPSK at 100.04 bits/second, then spread using a repeating 255 chip PN sequence at a rate of 1,250,000 chips/second. Here “chip” refers to one bit of a PN sequence, so that it is not confused with actual data bits.

3.5 Pseudo Noise Sequence / M-Sequences

Pseudo Noise (PN) sequences are periodic binary sequences known by both the transmitter and receiver. Without this sequence, data cannot be received. The simplex data service uses a specific type of PN sequence called an M-Sequence.

M-Sequences have the unique property of having a strong autocorrelation for phase shifts of zero but very poor correlation for any other phase shift. This makes the detection of the PN in unknown data, and subsequently locking on to a DSSS signal, relatively simple.

All simplex data network devices examined use the same PN sequence to transmit data. By knowing one code, all network data can be intercepted.

3.6 Obtaining The M-Sequence

In order to intercept network data, the PN sequence must be recovered. For each bit of data transmitted, the PN sequence repeats 49 times. Data packets contain 144 bits.



(1,250,000 chips / 1 second) × (1 second / 100.04 bits) × (1 PN sequence / 255 chips) ≈ 49 PN sequences / bit

The PN sequence never crosses a bit boundary, so it can be inferred that

    xor(PN, data) = PN



By decoding the transmitted data stream as BPSK,⁸ we can demodulate a spread bitstream. Note that demodulation in this manner negates any processing gain provided from DSSS and thus can only be received over short distances, so for long distances you will need to use a proper DSSS implementation.

Viewing the demodulated bitstream, a repeating sequence is observed. This is the PN, the spreading code key to the kingdom.

The simplex data network PN code is 111111110010110101101110101010111001001101101001100110100011101101100010001001111010010010000111100010100111000111110101111001110100001010110010100010110000011001000110000110111111011100001000001001010100101111100000011100110001101010000000101110111101100.

3.7 Despreading

DSSS theory states that to decode a DSSS-modulated signal, a received signal must be mixed once again with the modulating PN sequence; the original data signal will then fall out. However, for this to work, the PN sequence needs to be phase-aligned with the mixed PN/data signal, otherwise only noise will emerge.

Alignment of the PN sequence to the data stream is accomplished by correlating the PN sequence against the incoming datastream at each sample. When aligned, the correlation will peak. To despread, this correlation peak is tracked and the PN is mixed with the sampled RF data. The resulting signal is the 100.04 bit/second non-differential BPSK modulated packet data.
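To make the m-sequence property of section 3.5 and the correlate-then-mix despreading of section 3.7 concrete, here is an added, self-contained Python example; it is not code from the article or from the synack/globalstar tooling. It generates a generic 255-chip m-sequence from the primitive polynomial x^8 + x^4 + x^3 + x^2 + 1, which is an assumed stand-in and not the Globalstar PN code printed above; checks that the periodic autocorrelation is 255 at zero shift and -1 at every other shift; then spreads a few constructed data bits, prepends idle chips and a little seeded noise, acquires the chip phase by sliding correlation, and despreads by multiplying with the aligned PN and integrating over each bit. To keep it small it uses 4 PN repetitions per bit instead of the network's 49, and it works on baseband ±1 chips rather than RF samples.

```python
import random

# Generic 8-bit LFSR m-sequence (period 255) built from the primitive polynomial
# x^8 + x^4 + x^3 + x^2 + 1 (0x11D). This is an illustrative stand-in and NOT
# the Globalstar PN code printed in the article.
PN_POLY = 0x11D
PN_DEGREE = 8


def m_sequence(poly=PN_POLY, degree=PN_DEGREE):
    """Return one period of the m-sequence as a list of 0/1 chips."""
    period = (1 << degree) - 1
    state = 1
    chips = []
    for _ in range(period):
        chips.append(state & 1)          # tap the low bit as the output chip
        state <<= 1                      # multiply the state by x in GF(2)[x]
        if state & (1 << degree):
            state ^= poly                # reduce modulo the primitive polynomial
    return chips


def to_bipolar(bits):
    """Map 0/1 to +1/-1 so that XOR of bits becomes multiplication of symbols."""
    return [1 - 2 * b for b in bits]


def periodic_autocorrelation(chips, shift):
    """Sum of products of the bipolar sequence with a cyclic shift of itself."""
    s = to_bipolar(chips)
    n = len(s)
    return sum(s[i] * s[(i + shift) % n] for i in range(n))


def spread(data_bits, pn, repeats_per_bit):
    """DSSS spreading: each data bit multiplies `repeats_per_bit` copies of the PN."""
    pn_b = to_bipolar(pn)
    out = []
    for sym in to_bipolar(data_bits):
        out.extend(sym * c for c in pn_b * repeats_per_bit)
    return out


def acquire(received, pn, threshold_fraction=0.5):
    """Slide one PN period over the received chips; the first position whose
    correlation magnitude clears the threshold is the chip phase of the signal."""
    pn_b = to_bipolar(pn)
    n = len(pn_b)
    threshold = threshold_fraction * n
    for p in range(len(received) - n + 1):
        corr = sum(pn_b[i] * received[p + i] for i in range(n))
        if abs(corr) >= threshold:
            return p
    return None


def despread(received, pn, repeats_per_bit, offset):
    """Multiply by the aligned PN and integrate over one data bit at a time."""
    pn_b = to_bipolar(pn)
    n = len(pn_b)
    chips_per_bit = n * repeats_per_bit
    bits = []
    pos = offset
    while pos + chips_per_bit <= len(received):
        acc = sum(received[pos + i] * pn_b[i % n] for i in range(chips_per_bit))
        bits.append(0 if acc > 0 else 1)  # +1 maps back to data bit 0
        pos += chips_per_bit
    return bits


def demo(offset=300, repeats_per_bit=4, seed=7):
    """Constructed end-to-end run: spread, prepend idle chips, add seeded noise,
    acquire the chip phase and recover the bits. Returns (offset found, bits, sent)."""
    pn = m_sequence()
    data = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed payload bits
    rng = random.Random(seed)
    idle = [0.0] * offset                    # nothing on the air yet
    chips = idle + spread(data, pn, repeats_per_bit)
    noisy = [c + rng.uniform(-0.3, 0.3) for c in chips]
    found = acquire(noisy, pn)
    recovered = despread(noisy, pn, repeats_per_bit, found)
    return found, recovered, data


if __name__ == "__main__":
    found, recovered, data = demo()
    print("chip offset found:", found, "bits:", recovered, "ok:", recovered == data)
```

The acquisition threshold is half of one PN period: a correctly aligned period correlates to ±255, a misaligned one to about -1 plus noise, so the gap between the two cases is what makes the lock reliable; with 49 repetitions per bit as on the real network, the integrate-and-dump in `despread` would sum 12,495 chips per bit, which is the processing gain that the plain-BPSK shortcut of section 3.6 throws away.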

3.8 Decoding and Locations

Once the signal is despread, a BPSK demodulator is used to recover data. The result is a binary stream, 144 bits in length, representing one data packet. The data packet format is as follows:



Field           Bits   Description
Preamble        10     0000001011 signifies start of packet
ESN             26     3 bits for manufacturer ID and 23 bits for unit ID
Message #       4      message number modulo 16, saved in non-volatile memory
Packet #        4      number of packets in a message
Packet Seq. #   4      sequence number for each packet in a message
User Data       72     9 bytes of user information, MSB first
CRC24           24     CRC is 24 bits with polynomial 114377431 (octal)



Simplex data packets can technically transmit any 72 bits of user defined data. However, the network is predominantly used for asset tracking and thus many packets contain GPS coordinates being relayed from tracking devices. This data scheme for GPS coordinates can be interpreted with the following Python code, where user_data is the 72-bit user data field as a string of '0' and '1' characters (true division as in Python 3 is assumed, so the results are floating-point degrees):

    latitude = int(user_data[8:32], 2) * 90 / 2**23
    longitude = 360 - int(user_data[32:56], 2) * 180 / 2**23



⁸ DSSS theory shows us that DSSS is the same as BPSK for a BPSK data signal.
3.9 CRC

Packets are verified using a 24 bit CRC. The data packet minus the preamble and CRC are fed into the CRC algorithm in order to verify or generate a CRC. The following Python code implements the CRC algorithm.

    import sys

    def crcTwentyfour(TX_Data):
        # TX_Data is the 144-bit packet as a string of '0'/'1' characters
        TempCRC = 0
        Crc = 0xFFFFFF
        for k in range(0, 14):  # calc checksum on 14 bytes starting with ESN
            # offset to skip part of the preamble (dictated by algorithm)
            TempCRC = int(TX_Data[(k*8)+8 : (k*8)+8+8], 2)
            if 0 == k:
                # skip 2 preamble bits in byte0
                TempCRC = TempCRC & 0x3f
            Crc = Crc ^ (TempCRC << 16)
            for m in range(0, 8):
                Crc = Crc << 1
                if Crc & 0x1000000:
                    # seed CRC: generator polynomial, octal 114377431 (0x131FF19)
                    Crc = Crc ^ 0o114377431
        Crc = Crc & 0xffffff
        # end crc generation, lowest 24 bits hold the CRC

        # first CRC byte to TX_Data
        byte14 = (Crc & 0x00ff0000) >> 16
        # second CRC byte to TX_Data
        byte15 = (Crc & 0x0000ff00) >> 8
        # third CRC byte to TX_Data
        byte16 = (Crc & 0x000000ff)

        final_crc = (byte14 << 16) | (byte15 << 8) | byte16

        if final_crc != int(TX_Data[120:144], 2):
            print("Error: CRC failed")
            sys.exit(0)
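The packet layout of section 3.8 and the CRC procedure of section 3.9 together, as an added worked example that is neither the article's code nor the synack/globalstar tooling. It re-implements the same CRC-24 steps as the routine above (14 bytes from bit 8, the two preamble bits masked off in the first byte, register seeded with 0xFFFFFF, octal polynomial 114377431), assembles a constructed packet with a valid CRC, parses it back into the fields of the table, checks the CRC, decodes coordinates with the latitude/longitude formulas given above, and shows that a single flipped bit is caught. The ESN, message numbers and coordinates in the sample are made up for the example.

```python
PREAMBLE = "0000001011"
CRC24_POLY = 0o114377431     # polynomial from the article, written in octal (== 0x131FF19)


def crc24(packet_bits):
    """CRC-24 over the packet as the article's routine computes it: 14 bytes
    starting at bit 8, preamble bits masked out of the first byte, register
    seeded with 0xFFFFFF, MSB-first shift with the polynomial above."""
    crc = 0xFFFFFF
    for k in range(14):
        byte = int(packet_bits[8 + 8 * k: 16 + 8 * k], 2)
        if k == 0:
            byte &= 0x3F                 # drop the last two preamble bits
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY        # clears bit 24 and folds in the polynomial
    return crc & 0xFFFFFF


def build_packet(esn, msg_num, num_packets, seq_num, user_data_bits):
    """Assemble the 144-bit packet string of section 3.8 and append its CRC."""
    if len(user_data_bits) != 72:
        raise ValueError("user data must be 72 bits")
    body = (PREAMBLE + format(esn, "026b") + format(msg_num % 16, "04b")
            + format(num_packets, "04b") + format(seq_num, "04b") + user_data_bits)
    if len(body) != 120:
        raise ValueError("field widths do not add up to 120 bits")
    # crc24 only reads bits 8..119, so the CRC slot can be zero while computing.
    return body + format(crc24(body + "0" * 24), "024b")


def parse_packet(packet_bits):
    """Split a 144-bit packet string into the fields of the table and verify the CRC."""
    if len(packet_bits) != 144:
        raise ValueError("packet must be 144 bits")
    if packet_bits[:10] != PREAMBLE:
        raise ValueError("bad preamble")
    esn = int(packet_bits[10:36], 2)
    fields = {
        "manufacturer_id": esn >> 23,            # top 3 bits of the ESN
        "unit_id": esn & ((1 << 23) - 1),        # low 23 bits of the ESN
        "message_number": int(packet_bits[36:40], 2),
        "packet_count": int(packet_bits[40:44], 2),
        "packet_sequence": int(packet_bits[44:48], 2),
        "user_data": packet_bits[48:120],
        "crc": int(packet_bits[120:144], 2),
    }
    fields["crc_ok"] = fields["crc"] == crc24(packet_bits)
    return fields


def decode_gps(user_data_bits):
    """Coordinate layout from the article: 24-bit latitude at bits 8..31 and
    24-bit longitude at bits 32..55 of the 72-bit user data field."""
    latitude = int(user_data_bits[8:32], 2) * 90 / 2**23
    longitude = 360 - int(user_data_bits[32:56], 2) * 180 / 2**23
    return latitude, longitude


def flip_bit(packet_bits, index):
    """Return a copy of the packet with one bit inverted (simulated corruption)."""
    flipped = "1" if packet_bits[index] == "0" else "0"
    return packet_bits[:index] + flipped + packet_bits[index + 1:]


# Constructed sample: 8 status bits, raw latitude 2**22 (-> 45.0 degrees),
# raw longitude 2**22 (-> 360 - 90 = 270.0 by the article's formula), 16 spare bits.
SAMPLE_USER_DATA = "00000000" + format(1 << 22, "024b") + format(1 << 22, "024b") + "0" * 16
SAMPLE_ESN = (5 << 23) | 0x12345           # made-up manufacturer 5, unit 0x12345


def demo():
    """Build the sample packet, parse it back, and try a corrupted copy."""
    pkt = build_packet(SAMPLE_ESN, msg_num=3, num_packets=1, seq_num=0,
                       user_data_bits=SAMPLE_USER_DATA)
    good = parse_packet(pkt)
    bad = parse_packet(flip_bit(pkt, 60))    # flip a bit inside the user data
    return pkt, good, bad


if __name__ == "__main__":
    pkt, good, bad = demo()
    print(pkt)
    print(good, decode_gps(good["user_data"]))
    print("corrupted packet crc_ok:", bad["crc_ok"])
```

Because the CRC covers bits 10 through 119 only, a receiver that validates packets this way detects corruption but, as section 3.12 notes, gains no authentication from it: anyone who knows the polynomial can produce a matching CRC, which is exactly why `build_packet` can.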



3.10 Transmitting

DISCLAIMER: It is most likely illegal to transmit on Globalstar’s frequencies where you live. Do so at your own risk. Remember, no one likes late night visits from the FCC and it would really suck if you interrupted someone’s emergency communication!

By knowing the secret PN code, modulation parameters, data format, and CRC, it is possible to craft custom data packets and inject them back into the satellite network. The process is as follows:

• Generate a custom packet

• Calculate and affix the packet’s CRC

• Spread the packet using the Globalstar PN sequence

• BPSK modulate the spread data and transmit on the RF carrier

Various SDR boards should have enough power to communicate with the network, however COTS amplifiers are available for less than a few hundred dollars. Specifications suggest a transmit power of about 200 milliwatts.

3.11 Spoofing

SPOT produces a series of asset trackers called SPOT Trace. SPOT also provides SPOT_Device_Updater.pkg, an OS X update utility, to configure various device settings. This utility contains development code that is never called by the consumer application.

The updater app package contains SPOT3FirmwareTool.jar. Decompilation shows that a UI view calls a method writeESNO in SPOTDevice.class. You read that correctly, they included the functionality to program arbitrary serial numbers to SPOT devices!

This UI can be called with a simple Java utility.

    import com.globalstar.SPOT3FirmwareTool.UI.DebugConsole;

    public class SpotDebugConsole {
        public static void main(String[] args) {
            DebugConsole.main(args);
        }
    }

Upon execution, a debug console is launched, allowing the writing of arbitrary settings including ESNs, to the SPOT device. (This functionality was included in Spot Device Updater 1.4 but has since been removed.)

3.12 Impact

The simplex data network is implemented in countless places worldwide. Everything from SCADA monitoring to emergency communications relies on this network. To find that there is no encryption or authentication on the services examined is sad. And to see that injection back into the network is possible is even worse.

Using the specifications outlined here, it is possible—among other things—to intercept communications and track assets over time, spoof an asset’s location, or even cancel emergency help messages from personal locator beacons.

One could also enhance their own service, create their own simplex data network device, or use the network to transmit their own covert communications.

3.13 PoC and Resources

This work was presented at BlackHat USA 2015 and proof-of-concept code is available both by Github and within this PDF file.⁹

⁹ git clone https://github.com/synack/globalstar
  unzip pocorgtfo09.pdf globalstar.tar.bz2